WP Statistics Plugin Leaks Sensitive Analytics Data on WordPress

CVE-2026-3488
Summary

The WP Statistics plugin for WordPress has a flaw that lets authenticated users with Subscriber-level access or above read sensitive data, such as user information and analytics, because several of its AJAX handlers verify a nonce but perform no capability check. This affects all versions up to and including 14.16.4. Website owners should update the plugin to the latest version to fix this issue.

Original title
The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers inclu...
Original description
The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including `wp_statistics_get_filters`, `wp_statistics_getPrivacyStatus`, `wp_statistics_updatePrivacyStatus`, and `wp_statistics_dismiss_notices`. These endpoints only verify a `wp_rest` nonce via `check_ajax_referer()` but do not enforce any capability checks such as `current_user_can()` or the plugin's own `User::Access()` method. Since the `wp_rest` nonce is available to all authenticated WordPress users, this makes it possible for authenticated attackers, with Subscriber-level access and above, to access sensitive analytics data (user IDs, usernames, emails, visitor tracking data), retrieve and modify privacy audit compliance status, and dismiss administrative notices.
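The bug class described above, as an added illustration (not the plugin's own code): a WordPress AJAX handler that checks only a `wp_rest` nonce, beside the same handler with the capability check the description says is missing. The action name `example_get_analytics`, the helper `example_collect_analytics()` and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration of the missing-authorization pattern; hypothetical names.

// Vulnerable pattern: nonce only. Every logged-in user can obtain a 'wp_rest'
// nonce, so this proves the request is not CSRF, but not that the caller is
// allowed to see analytics. A Subscriber passes this check.
add_action( 'wp_ajax_example_get_analytics', 'example_get_analytics_vulnerable' );
function example_get_analytics_vulnerable() {
    check_ajax_referer( 'wp_rest', 'nonce' );            // CSRF protection only
    wp_send_json_success( example_collect_analytics() ); // returned to any user
}

// Hardened pattern: keep the nonce check and add an explicit capability check.
// Registering only the 'wp_ajax_' hook (no 'wp_ajax_nopriv_') keeps the
// endpoint closed to anonymous visitors; the capability check closes it to
// authenticated users below the intended role.
add_action( 'wp_ajax_example_get_analytics_v2', 'example_get_analytics_hardened' );
function example_get_analytics_hardened() {
    check_ajax_referer( 'wp_rest', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    wp_send_json_success( example_collect_analytics() );
}

// Stand-in for whatever sensitive data a real analytics handler would return.
function example_collect_analytics() {
    return array( 'visitors' => 0 );
}
```

The same two-step check (nonce, then `current_user_can()`) applies to handlers that modify state, such as updating a privacy status or dismissing notices.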
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-862 Missing Authorization
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026